WordPress Plugin Vulnerabilities

RSVPMaker < 9.2.7 - Unauthenticated SQLi

Description

The plugin is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-api-endpoints.php file.

Affects Plugins

Plugin icon
rsvpmaker
Fixed in 9.2.7

References

CVE
CVE-2022-1505
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1505

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Tobias Kay Dala (oxnan)
Verified
Yes
WPVDB ID
9aef0c9a-f88f-41b5-82e5-e583a07ec93c

Timeline

Publicly Published
2022-04-27 (about 4 years ago)
Added
2022-04-27 (about 4 years ago)
Last Updated
2022-04-28 (about 4 years ago)

Other

Published
Title
Published
2023-02-06
Title
GigPress <= 2.3.28 - Subscriber+ SQLi
Published
2015-07-08
Title
Pretty Link Lite <= 1.6.7 - Authenticated SQL Injection
Published
2023-04-19
Title
Accessibility Suite by Online ADA < 4.13 - Subscriber+ SQLi
Published
2021-10-05
Title
WP Bannerize 2.0.0 - 4.0.2 - Authenticated SQL Injection
Published
2024-06-19
Title
WP Hotel Booking < 2.1.1 - Unauthenticated SQL Injection